Re: partial URLs ? (was

In message <19951212.79A6B78.8840@contessa.phone.net>, Mike Meyer writes:
>
>Yes, having ".." (or "") as a path component creates interesting
>problems in writing relative URLs, and is probably a bad idea on any
>server. Yes, an attempt to access "../../../../etc/passwd" is probably
>someone trying to break into the system. However, it's up to the
>people running the server, not the spec, to decide what is and is not
>a security problem and deal with them.

It _is_ "up to the spec" to make implementors aware of such issues.
That's why SECURITY CONSIDERATIONS is mandatory in all RFCs, no?


(I agree that returning 403 on seeing /../ is a should, not a must)

Dan

Received on Wednesday, 20 December 1995 10:31:45 UTC
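
The check discussed in this thread (answering 403 when a request path contains a ".." component), sketched as an added example that is not part of the original messages. `DOCROOT` and `check_request_path` are hypothetical names, and a POSIX file system is assumed.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/www"  # assumed document root (hypothetical)


def check_request_path(raw_path, docroot=DOCROOT):
    """Map a request path to a file under docroot.

    Returns (status, resolved_path); resolved_path is None unless status is 200.
    """
    # Only the path part is mapped to the file system.
    path = raw_path.split("?", 1)[0].split("#", 1)[0]

    # Decode percent-escapes once, so "%2e%2e" is compared as "..".
    decoded = unquote(path)
    if "\x00" in decoded or not decoded.startswith("/"):
        return 400, None

    segments = decoded.split("/")[1:]
    for seg in segments:
        # Refuse ".." as a component; backslashes are treated as separators
        # here too, in case a later layer interprets them that way.
        if ".." in seg.replace("\\", "/").split("/"):
            return 403, None

    # Second, independent check: normalise and confirm the result is still
    # inside docroot. Empty components ("//") collapse during normalisation.
    candidate = posixpath.normpath(posixpath.join(docroot, *segments))
    if candidate != docroot and not candidate.startswith(docroot + "/"):
        return 403, None
    return 200, candidate


if __name__ == "__main__":
    # Constructed sample request paths.
    for p in ["/index.html", "/../../../../etc/passwd",
              "/a/%2e%2e/%2E%2E/etc/passwd", "/a//b.html", "/a/..b/c"]:
        print(p, "->", check_request_path(p))
```

A file name that merely starts with dots, such as `..b`, is not a ".." component and is still served.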